Executive summary:
Best practices to improve payment process security and prevent payment fraud
Payment fraud, data breaches, hefty fines! You might not like it, but the recent news increasingly seems to suggest that when it comes to payment security, it's less a matter of if but when you'll face a critical data breach or have to deal with the consequences of payment fraud. As AFP’s 2024 report illustrates, no business is safe in the long run without robust payment process security. While it may take time for vulnerabilities to be exploited, the probability of a security incident over a long enough timeline approaches certainty. And when it comes to payment security, even a little is too much. Is your payment process secure? Can you detect or prevent payment fraud? These are questions no one enjoys asking (because they might not like the answer), but they should. Staying ahead of cybercrime and protecting corporate payments from fraud is foundational to business continuity.
Let's explore the best practices of payment process security.
Meet the Expert: Jouni Kirjola
I had the opportunity to speak with Jouni Kirjola, Head of Solutions and Presales at Nomentia, a seasoned professional with nearly two decades of experience in critical financial technology for international businesses. His expertise in payments, cash forecasting, liquidity management, in-house banking, and reconciliation, coupled with his focus on securing payment processes to prevent fraud, makes him a trusted source in understanding the challenges and solutions of corporate payment security.
The importance of secure corporate payments
Payments are the lifeblood of business. Payment security is vital for companies to protect sensitive financial data, maintain vendor trust, and avoid severe financial losses. Effective payment security measures shield data, transaction details, recipient information, and bank account numbers from unauthorized access. This is particularly crucial for various types of corporate payments, like accounts payable transactions with vendors, supplier invoices, contract payments to partners, and legal and license fees. But also payroll disbursements to employees and loan repayments to financial institutions. Understandably, clients, employees, partners, vendors, and other stakeholders expect their financial information to be secure. Any breach is more than likely to damage a company's reputation and, as a result, lead to lost business.
Beyond stakeholder expectations, adhering to both local and international regulations is mandatory. We've all seen how non-compliance can result in substantial fines and legal repercussions and threaten a company's financial health and continuity. Moreover, data breaches and payment fraud can be incredibly costly, whether through money lost to scammers, fraudulent transactions involving payroll or vendor accounts, or ransom payments following breaches. Implementing strong security measures mitigates these risks.
If a business cannot securely meet its obligations—like tax payments, rent and lease payments, or utility payments—it risks severe financial penalties, service disruptions, and loss of trust, ultimately threatening its survival. This is why robust payment process security is so essential to ensuring both compliance and operational continuity.
Growing threat landscape of payment security: Cybercrime, payment fraud, and sanction violations
Even a brief look at recent payment fraud and security events proves one thing: the threat landscape of corporate payments is constantly growing more complex and poses increasing challenges for all businesses. For example, in 2020, Puerto Rico's Industrial Development Company lost over $2.6 million to a Business Email Compromise (BEC) scam. In November 2023, a ransomware attack on ICBC Financial Services disrupted systems used to clear US Treasury trades, causing significant market disruptions. Conversely, in March 2024, Sam Bankman-Fried, the founder of FTX, was sentenced to 25 years in prison and ordered to forfeit over $11 billion after being convicted of money laundering and securities fraud. A joint August 2024 report by The European Central Bank (ECB) and the European Banking Authority (EBA) highlighted how the total value of fraudulent transactions in the European Economic Area (EEA) was €4.3 billion in 2022 and €2.0 billion in the first half of 2023.
If not anything else, these examples underscore how payment-related fraud is becoming more rampant. Cybercriminals are constantly developing new tactics to exploit both digital vulnerabilities and regulatory complexities, and this has led to payment security becoming a priority for every business. The rise of digital payments has made financial data a prime target for both internal and external threats. Internally, employees may exploit system vulnerabilities, while externally, fraudsters employ diverse tactics to deceive businesses into making unauthorized payments.
That said, while securing payment processing from data breaches and fraudulent or erroneous payments is one critical aspect of today's business, addressing risks related to whom those payments are made is another. In the emerging regulatory environment, businesses must constantly ensure they are not transacting with prohibited entities or individuals. Sanctions and the financial penalties associated with them have gained increased importance in securing business continuity due to the growing complexity of international regulations and the heightened enforcement efforts by governments worldwide. In recent years, regulatory bodies have imposed stricter sanctions on countries, organizations, and individuals involved in illegal activities, like money laundering, terrorism financing, and human rights violations. Failure to comply with these sanctions can result in substantial fines, asset freezes, loss of business licenses, and even criminal charges: For example, in 2023, Deutsche Bank was fined $186 million for sanctions and anti-money laundering violations, and in 2022 when Danske Bank was fined $2 billion for violations related to sanctions involving high-risk customers from Russia, which pales in comparison to Binance’s $4.3 billion settlement with US authorities in November 2023.
Why so many companies do not take payment process security and fraud prevention seriously?
Despite increasing pressures, many companies remain slow to act. This reluctance can stem from several factors:
- Cost: Implementing robust security measures can be expensive. Smaller businesses, in particular, may find it challenging to allocate the necessary budget for advanced security systems. The costs involved with maintaining these systems are likely to lessen investment enthusiasm.
- Perception of risk: Some companies may not fully grasp the extent of risks linked to payment fraud and cybercrime or believe they are not likely targets. Additionally, the rapidly evolving nature of cyber threats can be overwhelming, which can make it difficult for businesses to keep up with the latest trends and best practices.
- Complacency: Businesses that have not experienced a breach may develop a false sense of security, thinking their current measures are sufficient. Others adopt a reactive rather than proactive approach and only address security issues after an incident occurs. Moreover, some companies aim to meet only the minimum regulatory requirements, which can leave them vulnerable to sophisticated attacks.
- Operational disruptions: Implementing new security measures can disrupt daily operations. Companies may be reluctant to make changes that could temporarily affect their business processes. Additionally, stricter security protocols can sometimes result in more cumbersome operations, which businesses fear could hinder their business objectives.
Many of the challenges related to inadequate payment process security and fraud prevention converge at a critical point: Effective payment controls are a primary concern for treasurers and cash managers. At the same time, IT departments are looking at the issue from a broader risk management perspective. It's not unheard of that this intersection often leads to friction, as each group focuses on different aspects of security and risk management.
However, businesses are unlikely to avoid improving payment process security for long. For instance, the National Automated Clearing House Association (NACHA) implemented new rules in June 2021 to enhance security in the ACH Network by requiring account numbers to be unreadable while stored electronically. Similarly, the General Data Protection Regulation (GDPR) in Europe, while not in any way new, sets stringent requirements for handling payment data, which include encryption and regular security assessments. Other regulations, like the Digital Operational Resilience Act (DORA) and the proposed Instant Payments Regulation, also put the protection of financial transactions and payment fraud prevention at the center stage.
As Jouni comments, "The reluctance to take emerging payment security threats seriously is a major reason behind many of the recent and forthcoming regulations. Some companies take the initiative, while others need to be pushed."
Building blocks of payment process security and fraud prevention
While it's easy to argue that businesses that take a proactive approach to payment process security and fraud prevention will not just survive but thrive, it's not as easy to make it happen. The security of payment processes is more critical than ever, but at the same time, the rapid evolution of technology, including artificial intelligence (AI) and machine learning (ML), has made it easier for fraudsters to develop more sophisticated attack methods. To defend against these evolving threats, organizations must adopt a comprehensive approach and integrate multiple layers of security measures, robust technology frameworks, and even employee awareness.
Protecting payment security and preventing fraud: The intersection of information security and information assurance
Effective payment process security begins with a clear understanding of the overlap between information security and information assurance. Although these terms are often used interchangeably, they represent distinct but complementary concepts that, together, help organizations focus on securing payment processes and preventing fraud.
Information assurance is concerned with managing and mitigating the overall risks associated with a company’s data. It aims to ensure its confidentiality, integrity, and availability. On the other hand, information security—sometimes referred to as cybersecurity—focuses on preventing unauthorized access, use, disclosure, disruption, modification, or destruction of data. Understanding the intersection of these domains is vital for developing a secure payment process that protects against both internal and external threats.
The triad of payment security: Confidentiality, integrity, and availability
At the core of any secure payment process are three foundational principles: confidentiality, integrity, and availability. These principles serve as the building blocks of payment security and fraud prevention.
1. Confidentiality:
Confidentiality ensures that sensitive information is accessed only by authorized parties and is protected from unauthorized exposure. In the context of payment processes, confidentiality is maintained through mechanisms like encryption, tokenization, and access control. Encryption converts payment data into unreadable formats that can only be decoded by authorized users, while tokenization replaces sensitive data with non-sensitive equivalents (tokens) that are useless if intercepted. Access control restricts access to payment data based on predefined rules, ensuring that only authorized personnel can view or modify sensitive information.
2. Integrity:
Integrity ensures that information remains accurate and unaltered from its intended state during storage, processing, and transmission. For payment security, this means that the transaction data must remain consistent and accurate throughout its lifecycle. Techniques like hashing and checksums are used to verify that payment data has not been tampered with during transmission. Validation mechanisms further ensure that transaction details—such as payment amounts and account numbers—are correct and consistent. This involves validating data inputs and outputs at every stage of the payment process.
3. Availability:
Availability ensures that information and systems are accessible and operational when needed, minimizing downtime and disruptions. In the realm of payment security, this involves maintaining backups, implementing data replication strategies, and developing disaster recovery plans to ensure continuous access to payment systems, even in the event of a failure. Availability is essential for minimizing service interruptions and ensuring that legitimate transactions can be processed without delay.
"Payment data validation is not just a precaution; it's the first line of defense in ensuring the security of transactions and maintaining business continuity." - Jouni Kirjola
Beyond technology: The human factor in payment process security
While technology plays a crucial role in securing payment processes, organizations must also address the human element of security. Many security breaches occur not because of technological failures but due to human error or malicious intent. This makes it imperative to focus on both technological controls and the people who operate and interact with these systems.
"Understanding how your payment systems handle information security is vital. It provides insight into their ability to protect sensitive data and prevent breaches." - Jouni Kirjola
1. Establishing strong payment controls:
To secure payment processes, organizations must implement a range of technical controls, including access management, authentication protocols, payment control rules, and regular security assessments. Access control mechanisms should be stringent, involving restricted access to sensitive data, multi-factor authentication, and routine access reviews to ensure that only authorized individuals have the necessary permissions.
2. Preparing for the unexpected:
Despite best efforts, no system is immune to attack. Therefore, organizations must build their payment security on systems that maintain comprehensive audit logs and have developed robust incident response, disaster recovery, and business continuity plans. Audit logs provide a record of all system activities and transactions, enabling organizations to detect and respond to suspicious behavior quickly. Incident response plans outline the steps to be taken in the event of a security breach, while disaster recovery and business continuity plans ensure that payment processing can continue even in the case of systemic failure.
3. Cultivating a security-first culture:
Technology alone cannot secure payment processes. The human element remains the weakest link in any security strategy. To address this, organizations must prioritize employee training and awareness. This can involve educating employees about the latest security threats, phishing scams, and social engineering tactics, as well as reinforcing the importance of following security protocols. Regular training sessions, security drills, and awareness campaigns can help employees recognize and respond to potential threats effectively.
Is your payment system secure? Asking the right questions about payment security and fraud prevention
When focusing on payment process security, it's crucial for businesses to ask several questions to ensure robust protection against fraud and security breaches.
Here are some key questions to consider:
1. What security measures are in place to protect sensitive payment data?
This question addresses the safeguards around payment data, such as encryption, tokenization, and secure storage. Ensuring that sensitive data is protected prevents unauthorized access and potential data breaches.
2. What mechanisms are in place to detect and respond to fraudulent activities?
Why it's important: Understanding the fraud detection and response strategies helps identify potential risks and ensures that the system can react quickly to suspicious activities, minimizing the impact of fraud.
3. How frequently is the payment system tested for vulnerabilities?
Regular security testing, such as vulnerability assessments and penetration testing, helps identify and address weaknesses in the system before attackers can exploit them.
4. What are the protocols for handling security breaches or payment fraud incidents?
Having a clear incident response plan ensures that the business can quickly and effectively manage and mitigate the impact of a security breach or fraud incident, preserving customer trust and minimizing damage.
5. What are the procedures for updating and patching the payment system?
Why it's important: Regular updates and patches are essential for addressing known vulnerabilities and ensuring that the payment system remains secure against evolving threats.
Steps to payment process security
Real-world payment process security with Nomentia: A three-level approach
For payment data validity
As an example of secure payment processes, let's consider a global company with an extensive network of suppliers and partners that handles numerous payments daily using its finance department. To manage these transactions effectively, the company relies on both manual data entry and automated systems. One day, an accounts payable clerk, while entering payment details for a $500,000 invoice to a key supplier, mistakenly enters the wrong bank account number. Instead of the supplier's bank account, the clerk types the account number of a different entity, which could be a dormant or incorrect account that is not associated with any business relationship.
This error, if undetected, could result in a substantial payment being sent to the wrong bank account, leading to multiple repercussions. The supplier would not receive their payment on time, which could strain the business relationship and disrupt supply chain operations. Moreover, reclaiming the funds from the wrong account could be time-consuming, costly, and legally challenging. Such a mistake could also trigger financial and reputational risks for our example corporation, including penalties for late payments and potential internal audit findings or regulatory scrutiny for weak financial controls.
Fortunately, our example corporation has recently integrated Nomentia Payments, a centralized payment hub that includes advanced automated data validation and anomaly detection features. When the accounts payable clerk submits the payment batch for processing, Nomentia Payments’ automated system kicks in to perform a series of checks on each transaction.
For payment fraud and error detection
A similar but eventually more impactful situation emerges when another organization, this time a multinational manufacturing company, processes hundreds of payments every day to suppliers, contractors, and service providers across multiple regions. The company's finance department relies on a complex mix of manual and automated systems to manage these transactions. One day, an accounts payable employee tasked with manually entering payment data into the system inadvertently transposes two digits in an important transaction—a payment of $1,000,000 meant for a key supplier is mistakenly recorded as $10,000,000.
This small human error goes unnoticed and is transmitted for processing. The incorrect amount could severely impact the company's cash flow, leading to overdrawn accounts, delayed payments to other suppliers, and the triggering of costly penalties. Additionally, such a significant overpayment could raise suspicions about potential fraud, damage supplier relationships, and attract unwanted scrutiny from regulatory bodies. The situation could become even more complicated if the supplier, when receiving the incorrect payment, disputes any attempt to reclaim the overpaid amount.
Fortunately, our example organization has recently implemented Nomentia Payment Process Controls to automate payment rule checks across all its financial systems. As the employee submits the payment file for processing, Nomentia automatically scans the transaction data for anomalies and inconsistencies. In this case, the system identifies the payment of $10,000,000 as an outlier compared to the company's typical payment patterns to this supplier. The automated controls flag the transaction for further review, triggering an alert to the finance team. The system immediately halts the processing of this suspicious payment and notifies the accounts payable manager, providing details about the anomaly detected.
Upon receiving the alert, the manager quickly reviews the flagged transaction and identifies the error. The payment file is corrected to reflect the accurate amount of $1,000,000, and the corrected transaction is resubmitted for processing. The finance team then uses the audit trail generated by Nomentia to document the incident, reinforcing their compliance procedures and internal controls.
Thanks to the automated data validation features of Nomentia the corporation avoids a potentially costly and damaging mistake. The company maintains its cash flow, avoids penalties and reputational damage, and ensures regulatory compliance. Additionally, the incident serves as a learning opportunity for the finance team, highlighting the importance of data integrity and the value of automated systems in preventing human errors.
For sanctions compliance
ABC International, a global trading company, frequently conducts transactions with various international partners. Due to the complexity of global sanctions regulations, the company has stringent compliance measures in place to avoid violations. Despite these measures, a clerk in the finance department accidentally initiates a payment to a business partner that is on a restricted sanctions list. The payment, intended for a legitimate supplier, is a significant amount of $750,000.
If the payment is processed to a sanctioned entity, ABC International could face severe consequences, including hefty fines, regulatory penalties, and damage to its reputation. Such violations can also lead to operational disruptions, legal challenges, and a loss of trust among stakeholders and customers. Ensuring compliance with sanctions regulations is crucial for maintaining the company's standing and avoiding legal complications.
To mitigate these risks, ABC International has implemented the Nomentia Sanction Screening, which is designed to screen transactions against various sanction lists automatically. As the payment is submitted for processing, Nomentia Sanctions Screening performs an immediate and comprehensive check. The system detects that the business partner's name matches an entry on the current sanctions list. This automated detection triggers an alert that the transaction involves a sanctioned entity.
Nomentia immediately halts the payment from proceeding further, and the finance team is instructed to re-evaluate the legitimacy of the transaction. The company's compliance department conducts a thorough review to ensure that all involved parties are properly vetted and that no further actions are taken that could lead to a sanction violation. ABC International avoids a potentially costly and damaging sanctions violation. The payment is prevented from being processed, safeguarding the company from regulatory penalties, legal issues, and reputational damage. The automated screening system proves its value in maintaining compliance and protecting the organization’s financial and operational integrity.
Payment processes secured
Securing payment processes is paramount for business success and continuity. Jouni Kirjola underscored the importance of payment data validation as the first line of defense against errors and fraud. Nomentia’s platform excels in this area, ensuring that every transaction is rigorously verified to uphold accuracy and security. Kirjola also highlighted the critical role of advanced fraud detection systems in identifying and mitigating suspicious activities early, thus protecting businesses from financial losses and reputational harm.
Nomentia’s commitment to helping businesses avoid sanction fines aligns with Kirjola’s emphasis on regulatory compliance. Additionally, Kirjola stresses the need for businesses to understand how their payment systems approach information security. Nomentia addresses this by providing clear insights into its security protocols and helping businesses make informed decisions about their payment processes.
Overall, Nomentia’s platform not only supports payment security through meticulous data validation and proactive fraud detection but also promotes business resilience by ensuring regulatory compliance and transparency in security practices.